HMRC Self Assessment: Phishing Scam

It’s bad enough that we have to pay taxes, and anyone who’s filled out the self-assessment forms from HMRC will know that they’re a minefield to work through. The service has been under fire for losing personal details on over 25 million people through what might well have been lax security.

But now, to add insult to injury, there’s also a new scam involving HMRC. It’s typical of phishing scams, in that it’s strictly an online scam, asking users to go to a website and fill out personal banking details in order to receive a refund. Users are directed to a supposedly secure site and provide their banking details, then allow between six and nine days for the refund to be processed (although the scammers warn that the refund could be “delayed” – in fact, it will never be received, and your bank details will be in the hands of those behind the scam).

Be warned, this is a scam. The mail isn’t from HMRC, and the site is a very good-looking fake. Those who fill out self-assessment forms – essentially people who are self-employed or who have second jobs – should be aware of this online scam.

How to Identify the Scam

If you receive an e-mail purportedly from HMRC, ask yourself one thing first – how likely is it that HMRC would contact you via e-mail, especially about a potential tax refund? Contact by e-mail can happen in some instances, but the general method of contact is by letter, even though much business is conducted online. In most instances this alone should be enough to raise warning flags about an online scam. HMRC itself says it would never advise people of tax rebates via e-mail, or ask users to fill out an online form to obtain a rebate. In some cases the scam will demand that you complete the online form within two days in order to claim the refund or it will be declined. HMRC would never add such a condition.

Secondly, the mail will close with “Regards” or, in some cases, “Yours Sincerely”. Think about that: would a service like HMRC actually use that in a mail? No, of course they wouldn’t. That’s the second tip-off.

It’s also worth paying attention to the address from which the mail is sent. It might look like a proper HMRC address, but it’s not; it’s simply “spoofed” to appear legitimate. Much the same applies to the site containing the form – the URL (address) looks official, but it won’t be – there will be “online” before hmrc.gov.uk, for instance, and there may well not be the padlock (indicating a secure site) in the lower right-hand corner of the screen.
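The sender and link checks described above, as an added Python example that is not part of the original article: it tests whether a host really is hmrc.gov.uk or a subdomain of it, and looks for the refund and two-day-deadline wording. The sample e-mail, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "hmrc.gov.uk"  # the domain named in the article

def is_official_host(host):
    """True only for hmrc.gov.uk itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def warning_signs(raw_email):
    """Return the article's warning signs found in a raw plain-text e-mail."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    signs = []
    # A matching sender domain proves nothing, because it can be spoofed;
    # a non-matching one is still worth flagging.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official_host(sender_domain):
        signs.append("sender domain: " + sender_domain)
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        parts = urlsplit(url)
        if not is_official_host(parts.hostname):
            signs.append("lookalike link host: " + str(parts.hostname))
        if parts.scheme != "https":
            signs.append("link is not HTTPS (no padlock)")
    if re.search(r"\b(refund|rebate)\b", body, re.I):
        signs.append("offers a refund or rebate by e-mail")
    if re.search(r"within\s+(two|2)\s+days", body, re.I):
        signs.append("two-day deadline")
    return signs

# Constructed sample: spoofed sender plus a lookalike host with "online" in front.
SAMPLE = """From: HMRC Refunds <refunds@hmrc.gov.uk>
Subject: Tax refund notification

You are eligible for a tax refund. Complete the form within two days:
http://online-hmrc.gov.uk.example/refund-form

Regards
"""

if __name__ == "__main__":
    for sign in warning_signs(SAMPLE):
        print("WARNING:", sign)
```

The spoofed sender passes the domain check in this sample, which is why the link host and the wording are checked as well.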

So far the scam has largely targeted charities and Community Amateur Sports Clubs – the types of organisations that would be likely to receive refunds – but there’s evidence that it’s expanded to try to exploit individuals, too.

What to Do if You Receive an HMRC Online Scam Mail

Tempting as it is to think you have a tax refund, the advice HMRC offers for dealing with these scams is the best – ignore and delete the mail. Don’t use the link to visit the site in question and never give out your banking details online. As of the middle of 2008, this has been the most-reported HMRC scam.

It’s true that their security has been notoriously bad, and the reputation of HMRC hasn’t been good. But to date the idea of applying for tax refunds online, where scams abound and security is often far from perfect, hasn’t become reality. As always, don’t believe what you read in an e-mail.